The WordPress Developer’s Guide to Security: Installation

Over the course of the next few weeks, we’ll be running a series all about WordPress security as it pertains to developers. Seriously, everything you ever wanted to know – or didn’t even know you wanted to know – will be covered here, in detail. And there’ll be plenty of insights from bona fide security experts to keep this whole thing legit.

The first part in this five-part series will cover your first step in securing WordPress: Installation. As more posts in the series are published, I’ll update this post with the appropriate links below.

Part 1: Installation

Part 2: Updates

Part 3: Management & Logins

Part 4: Security & Backup Plugins

Part 5: Roundup

Now, grab a pen and paper and get ready to take some notes. It’s time to go to school on WordPress security. And everything related to installation will be my focus today.

Selecting the Right Host

A secure WordPress installation starts with selecting the right host. Without a secure, reputable host on which to place your site, your security efforts can only go so far. Now technically, since WordPress uses PHP and MySQL, any host that offers a Linux environment would suffice, says Damon Burton, director of SEO National. However, he does suggest avoiding GoDaddy and Yahoo! as hosts. “Their hosting environments are aimed at being simplistic in nature, so much so that it causes them to be restrictive,” he says. “This means that they are not user friendly for doing anything beyond WordPress basics.”

So, if you tried to modify settings to manually improve security, doing so would be very difficult on these types of restrictive hosts.

“The primary thing to be concerned about with shared hosting,” says Marcus Hildum, lead security engineer for DreamHost, “is ensuring your provider has correct Unix permissions set.” Basically, you don’t want to have access to other people’s files or vice versa. “After that,” says Hildum, you can do several things to make a WordPress installation more secure, like use “web application firewalls, easy SSL support and regular site scans.”

Most security professionals recommend using a host that offers a VPS. In fact, that’s precisely what Tony Perez, co-founder and CEO of Sucuri, uses. He also utilizes a website firewall to “repel attacks before they ever get to my server,” he says, adding that “this helps address a number of things, specifically software vulnerabilities[…]and it also helps me save server resources.” These measures all fall under Perez’s “protection” category of WordPress security. Unfortunately, this is where a lot of people stop, and that’s just not good enough.

He elaborates by comparing it to physical security: “…they have cameras, security guards, metal detectors, yet theft still happens.” To ramp up security further, Perez uses tools to keep tabs on the state of his site’s security. These tools show him who’s logging in, who’s making changes to posts, and so forth. They also reveal WHOIS, DNS and malware activity. “Each one of these things are designed to capture various aspects of the security spectrum, and things many don’t account for,” he says. He recommends Sucuri Scanner for performing site audits, but he notes there are other plugins out there that do the job, too.

The Problem with One-Click Installs

Many hosting providers now offer “one-click” installation for WordPress, which is seriously convenient and lets a lot of people get access to WordPress faster than they would normally. Of course, the simplicity of the process can come at a price, says Mike Murphy, owner of Erion Media, a web design and development company.

“…they almost always create those installations with a default user ‘admin’,” says Murphy, which makes your site vulnerable to brute force attacks. And they also tend to use “wp_” as the database table prefix of choice. Since this is the default in most documentation, this means hackers know it already. “An attacker can pretty much count on table names like wp_users,” Murphy says, which “eliminates any guesswork on the part of the attacker as to where a website’s data is stored.”

While you can easily change the user name and table prefix – which we’ll talk about in more detail later – the problem here is the assumption one-click installs create. Because your host offers it, many people assume it’s safe and secure. Unfortunately, this isn’t the case, which means a manual approach is likely to be a better idea.

How to Install WordPress

If you’re not using a one-click installation process, getting WordPress installed on your host should take about 10 minutes, says Burton. You’ll need a basic understanding of FTP and databases. There are several tutorials out there for going through this process, from selecting an FTP program and uploading files to setting up a database. Since the focus here is on security, I won’t bog this article down with those details.

Once all of your files are uploaded and the database has been created, you’ll be prompted to set up a username and password. The default username used to be “admin,” but thankfully more recent versions of WordPress don’t automatically insert this. Still, it’s recommended that you choose a username that is complicated and would be difficult for a hacker to guess. So that means: don’t make it your name or something equally guessable.

Same goes for your password. For the love of all things holy, make it complicated! I know that’s inconvenient, but it’s a must. Hackers run brute force attacks to crack passwords, which means they run scripts that guess your password over and over again until they break through and gain access to your site. The more complicated the password, the longer it’ll take them to guess it. But usually, hackers will give up on trying to hack a site with a super complicated password because there are just so many others out there with a password of “password” that they can prey upon.

Changing Your “Admin” Username

I’ve already talked about the importance of avoiding “admin” as a username and why you need a complicated password. But let’s say you got started with WordPress a while ago and the default username given to you was “admin.” As I said before, you can always create a new administrator for your site and then delete the default username, but if you already have a lot of posts and pages with “admin” as the author, you might want to make this change through PHPMyAdmin instead.

To do this, log into your cPanel (assuming you have one) and navigate to PHPMyAdmin. Next, select your WordPress database and scroll to the wp_users table. Find “admin” and click Edit. Then just enter whatever new username you want in the user_login field. Your posts and pages will automatically display this name as the author; you don’t have to delete anything, and you reduce your risk of brute force attacks. And it takes like, what? Two minutes, at most.
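The same rename written out as SQL for PHPMyAdmin’s SQL tab, as an added example rather than anything from the original post; it also updates user_nicename (the slug in author archive URLs) and display_name, which the Edit form leaves saying “admin” if you only change user_login. It assumes the default wp_ table prefix and uses the placeholder new login ‘site_owner_x7k’.

```sql
-- Added example (not from the original post): rename the default "admin" account in
-- place, covering every column that still carries the old name.
-- Assumptions: default table prefix wp_; placeholder new login 'site_owner_x7k'.
-- Take a database backup before running this.
START TRANSACTION;

-- 1. Guard: the new login must not already exist. WordPress enforces login uniqueness
--    in PHP, not with a UNIQUE key, so check here and ROLLBACK if this is not 0.
SELECT COUNT(*) AS already_taken
  FROM wp_users
 WHERE user_login = 'site_owner_x7k';

-- 2. Rename the account. user_login is what you type at wp-login.php; user_nicename
--    is the slug in /author/<nicename>/ archive URLs; display_name is the byline
--    themes print. Changing only user_login leaves the other two saying "admin".
UPDATE wp_users
   SET user_login    = 'site_owner_x7k',
       user_nicename = 'site-owner-x7k',
       display_name  = 'Site Owner'
 WHERE user_login = 'admin';

-- 3. The nickname lives in wp_usermeta and is offered as a display name; update it too.
UPDATE wp_usermeta
   SET meta_value = 'Site Owner'
 WHERE meta_key = 'nickname'
   AND user_id = (SELECT ID FROM wp_users WHERE user_login = 'site_owner_x7k');

-- 4. Verify: one row with the new values, and nothing left exposing "admin".
SELECT ID, user_login, user_nicename, display_name
  FROM wp_users
 WHERE user_login = 'site_owner_x7k';

SELECT COUNT(*) AS still_exposed
  FROM wp_users
 WHERE user_login = 'admin' OR user_nicename = 'admin' OR display_name = 'admin';

COMMIT;
-- Posts stay attached to the account because wp_posts.post_author stores the numeric
-- ID, which this never touches.
```

Check that already_taken is 0 and still_exposed is 0 before you COMMIT; if either is not, ROLLBACK and pick a different name.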

Conclusion

Much of the time, people seem to think that WordPress security is something that’s tacked on after the fact through a plugin. And while that’s certainly an important part of the puzzle, you still need to do some things during installation to make sure everything’s secure from the get-go.

Be sure to check back soon for the next installment in this series. I’ll talk all about WordPress security as it relates to managing logins and your site in general. But in the meantime, did I miss anything? Have any hot tips I should know about that pertain to WordPress installation and security? Feel free to share in the comments below!

Brenda Barron

Brenda is a writer from southern California, a WordPress enthusiast, and Doctor Who addict. She contributes to several business and technology blogs, including her own, Digital Inkwell. You can follow her on Google+.

Eric Shefferman

On this point:
But usually, hackers will give up on trying to hack a site with a super complicated password because there are just so many others out there with a password of “password,” that they can prey upon.

For reference, this is data from one of my sites. I use the Limit Login Attempts plugin. I am the only user and never enter my password incorrectly because I log in via the ManageWP control panel. So every one of these is an attempt to hack the site. I don’t feel these numbers demonstrate hackers giving up; I think they demonstrate that brute force hacks are done via computer, and computers never give up, or get bored, or tired. Brute force is the Terminator coming after a website.

Eric Shefferman

You say
And they also tend to use “wp_” as the database table prefix of choice. Since this is the default in most documentation, this means hackers know it already.

and then later say
Next, select your WordPress database and scroll to the wp_users table. Find “admin,” and click Edit.

Because yeah, everyone (including any hacker) knows the table will be prefixed with wp_ because WordPress put so much effort into enforcing that for so long that it can just be generally considered true. And whatever of a security vulnerability it is, it will continue to be.

They can make interesting theories about why having a username of admin is OK — but if a hacker goes to any random WP install, what are the odds that there’s an admin user and that 1/2 the brute force effort is thus taken care of?

So many of these vulnerabilities are built in. It’s at the point where I’d like to think that there are hackers with “bigger plans” who go around hacking sites and removing the hacks from lesser hackers so that they can do something really devious deep in the future rather than whatever lame stuff my sites are probably already hacked with.

Sam Mudra

I am not a WP developer and not a regular user of WP. I am an optimizer who is more into digital marketing. I used to get lots of questions and queries about this topic from many of my customers and clients, mostly after an issue. This article is good and I am keeping this as a document on demand. I will share this with a few of my clients and colleagues. It would be more helpful for me if you can point out if there is anything else or extra which needs to be taken care of pre-installation and post-installation.

Michael M.

Please check out BruteProtect for future articles as I am very interested in this plugin at https://bruteprotect.com. I just learned of it today when I installed Clef. BruteProtect has been acquired by Automattic. -Thanks

WordPress exposes usernames publicly in several ways, so they should be assumed to be public information. (If you want to make them secrets, you can do that, but you will have to do a lot more than change them.) You should assume that someone might try to use your account usernames with a brute-force attempt to guess a corresponding password. Brute-force attacks are most problematic because they can drain your server resources and have a denial of service effect. The solution is an automatic account lockdown and/or IP ban after repeated login failures.